The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in the process of transitioning, and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.

Sunday, March 29, 2015

Advantage Dental ("Advantage"), an Oregon-based dental services
provider notified 151,626 patients of a breach of personal patient
protected health information (PHI/HIPAA) after its intrusion detection
system discovered an internal database at Advantage was illegally
accessed. The unauthorized access occurred between February 23, 2015
and February 26, 2015. The intruder was able to gain access to this
database through a computer that had been infected with malware.
Advantage terminated the illegal access immediately upon discovery on
February 26, 2015. The intrusion resulted in the unauthorized access to
the name, date of birth, phone number, social security number, and home
address. No treatment, payment, or any other financial data was
accessed.

Thursday, March 26, 2015

Just like in previous disclosures, within a few hours of our providing information we end up coming under attack, and just like the last time we say: please, by all means hit us so we can map out your networks and infected hosts...

This is a lesson in how to map out a botnet in real time. Thanks guys!

SLC Security Services LLC has discovered a previously unknown BOTNET network. We will be adding the indicators to our paid feeds. We had previously been seeing the nodes responding to various internet hosts, but we couldn't get the hosts to respond to any of the requests we sent. Apparently the bot command and control requires a certain sequence of ports to be queried before the C&C will respond to the infected bot's request in a normal fashion.

More information is being sent out via our alert feed to our paid subscribers.

UPDATE: Updated indicators have been rolled out to our client systems. If you see any indicators triggering with "BOTLICK" as the alert type, page the on-call contact specified in your contract. We would love to catch an active client so we can determine the initial infection vectors.

ADDITIONAL INDICATORS:
If you see encrypted traffic going to any of the following IP addresses, please check the source host for processes that should not be running. This is affecting Windows 7 and Windows 8 PCs.

ADDITIONAL DETAILS:
Our security analysts have been able to determine that there are at least 300+ hosts connected to the last indicator, 36.79.171.47. We were able to pull in some additional data from our partners' honeypots and network sensors to get a rough count of the activity level going to this system.

UPDATE: We are also seeing large numbers of connections to 80.82.64.201 as well.

The system appears to be in Indonesia and is connected via cable modem. We are actively working with the ISP to see if they can provide any additional details.
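The post names two indicator addresses and describes bots touching a sequence of ports before the C&C answers. The script below is an added example, not SLC Security's tooling or feed: it sweeps a simple connection log for outbound traffic to the indicator IPs and records, per source host, the order of destination ports it used, which is what an analyst would look at to confirm the port-sequence behaviour. The log format (timestamp, source IP, destination IP, destination port, protocol) and the sample lines are constructed; only the two IPs named in the post are real indicators, since the page does not reproduce the full list.

```python
"""Flag internal hosts contacting the botnet indicator IPs named in the post.

Added example, not part of the original post. Assumes a firewall/NetFlow-style
log with one connection per line:  <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
import ipaddress

# Indicators taken from the post above. The page does not reproduce the full
# "following IP addresses" list, so only the two IPs it names appear here.
INDICATORS = {
    ipaddress.ip_address("36.79.171.47"),
    ipaddress.ip_address("80.82.64.201"),
}

# Constructed sample log: 10.0.5.21 touches three ports on the C&C before
# settling on 443 (the sequence the post describes), 10.0.5.44 is clean,
# 10.0.5.77 talks to the second indicator.
SAMPLE_LOG = """\
2015-03-26T09:00:01 10.0.5.21 36.79.171.47 8080 tcp
2015-03-26T09:00:02 10.0.5.21 36.79.171.47 2222 tcp
2015-03-26T09:00:03 10.0.5.21 36.79.171.47 443 tcp
2015-03-26T09:00:09 10.0.5.21 36.79.171.47 443 tcp
2015-03-26T09:00:15 10.0.5.44 93.184.216.34 443 tcp
2015-03-26T09:01:00 10.0.5.77 80.82.64.201 443 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto).

    Raises ValueError on a malformed line (wrong field count, bad IP, bad port).
    """
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def find_c2_contacts(log_text, indicators=INDICATORS):
    """Return {src_ip: {indicator_ip: [dst ports in the order seen]}}.

    Keeping the ordered port list (not just a count) lets the analyst see the
    knock-like sequence preceding the real C&C session.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            _ts, src, dst, port, _proto = parse_line(raw)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole sweep
        if dst in indicators:
            hits[str(src)][str(dst)].append(port)
    return {src: dict(dsts) for src, dsts in hits.items()}


def summarize(hits):
    """One human-readable line per (source, indicator) pair."""
    lines = []
    for src, dsts in sorted(hits.items()):
        for dst, ports in sorted(dsts.items()):
            lines.append(f"{src} -> {dst}: {len(ports)} connection(s), port order {ports}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_c2_contacts(SAMPLE_LOG)):
        print(line)
```

Feed it your own export in the same five-field layout; any host that appears in the output should be checked for processes that should not be running, as the post advises.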

While we can't name particular entities at this time, we have started seeing indicators of another related attack originating out of China aimed at US healthcare entities. This time another well known affiliate of a previously breached healthcare entity appears to be attacking other healthcare entities in California and Arizona.

Additional research is being done at this time, but it appears that a new malware variant is being sent via phishing emails. The emails are coming from other healthcare entities, so they appear to be legitimate traffic, which may be problematic as the senders may be assumed to be trusted entities.

The malware is being sent via email as zip and exe attachments, and also as embedded HTML linking to infected Flash websites. UPDATE: And now we are seeing PDF and Word documents with the same payload.

Updates will be posted here as we can obtain additional information. It appears as though one individual was also socially engineered to get malware inside an organization in Arizona. Additional reports are coming in from Utah and North Dakota as well.

Additional Details:
After researching we have noted that the botnet post from yesterday seems to be directly related to the compromised hosts. Additional IPs (indicators) can be seen in this post.

After our report yesterday we also noted similar activity to what was seen prior to the Anthem, Community Health Systems and several University breaches we have been tracking.

If you run Snort, we have sent out the Snort signatures (a total of 5) via our alert mailing list.

MOVED TO MAILING LIST - In addition, another intel provider may have already leaked the information this past week.... Have a good weekend everybody!

We have been seeing many reports of Apple phishing schemes, including over 100 pages hosted at ovh.net. The scheme starts by emailing users purchase confirmations that look nearly identical to Apple's legitimate purchase notifications, but the links to cancel or verify the purchase lead to ovh.net; we have also noted xcelwings.com hosting similar content.

Ensure that you are actually connected to Apple when using secure pay or any of the other purchase methods of the Apple store, and be leery of any verification emails received. At a minimum, verify that the domain is an actual Apple domain before proceeding.
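The "verify that the domain is an actual Apple domain" step is easy to get wrong by eye, because a lure can put the real brand name in the wrong part of the URL. The following is an added example, not from the original post: it pulls every http(s) link out of a message and accepts a link only if its host is `apple.com` or a subdomain of it, using the URL parser rather than a substring match so that hosts such as `apple.com.xcelwings.com` or `apple.com@ovh.net` are rejected. The sample e-mail is constructed; the legitimate-parent list is an assumption limited to `apple.com`.

```python
"""Classify links in a purchase-confirmation e-mail as Apple or suspicious.

Added example, not part of the original post. Treats apple.com (and its
subdomains) as the only legitimate parent domain; adjust LEGIT_PARENTS to taste.
"""
import re
from urllib.parse import urlsplit

# Assumption: the only parent domain we accept as "actually Apple".
LEGIT_PARENTS = ("apple.com",)

# Matches http/https URLs up to the next whitespace or angle bracket/quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_is_legit(url, parents=LEGIT_PARENTS):
    """True only if the URL's host is a listed parent domain or a subdomain of it.

    urlsplit().hostname drops userinfo and the port and lowercases the host, so
    'https://apple.com@ovh.net/' yields 'ovh.net'. Requiring host == parent or
    host.endswith('.' + parent) rejects 'apple.com.xcelwings.com' and
    'notapple.com', which a naive substring check would accept.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.rstrip(".")  # ignore a trailing dot in a fully-qualified name
    return any(host == p or host.endswith("." + p) for p in parents)


def classify_links(message):
    """Return [(url, 'apple' | 'suspicious'), ...] for every link in the message."""
    return [
        (url, "apple" if hostname_is_legit(url) else "suspicious")
        for url in URL_RE.findall(message)
    ]


# Constructed sample resembling the lure described in the post: the brand name
# appears in each link, but only the last link is actually on apple.com.
SAMPLE_EMAIL = """\
Your purchase of 'Example App' for $49.99 is complete.
If you did not authorize this purchase, cancel it here:
http://apple.com.xcelwings.com/cancel?id=1
or verify your account: https://apple.com@ovh.net/verify
Questions? https://support.apple.com/
"""


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

Run against a saved message body, anything marked suspicious should be treated as the phishing link the post describes, regardless of how convincing the surrounding text looks.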

Wednesday, March 25, 2015

It goes without saying that the number of terrorist events over the past 2 weeks is quite alarming, and over the last 2 months the activity worldwide has increased. The number of attacks outside of traditional unstable areas has risen as well, and the Iran and Israel debacle has some intelligence analysts shaking their heads.

With the revelation that the pilot of the Germanwings crash was locked out of the cockpit, the US terror attack on TSA agents and many other incidents not being covered in the mainstream media, we have to take note. In addition there is a constant barrage of hacking from China's "PANDA" crew, Iran hashing out deals with long-reaching effects in the Middle East, and many areas of instability. Things are about to get interesting.

With the recent revelation that the US is supporting Iranian fighters in the region with air strikes, things lately seem to have been turned on their heads. What's next? We can tell you that we have picked up additional activity from some well financed groups in the Middle East, messages hidden in images (steganography) carrying cryptic messages from the Middle East, and plenty more items that just cause us to wonder what is really going on out there.

Keep your eyes and ears open folks. Things are changing quicker than intelligence agencies can keep up, and private entities are also struggling to keep up with changing conditions to keep our travelers and employees safe.

There are many types of terror related activities to be aware of in addition to the theft of your corporate secrets, and we will be expanding the scope of intelligence that we post in the coming weeks. No longer will we simply focus on data leaks (although we will continue to provide the information we have been providing). There comes a time when information needs to be put out there so that business leaders and enterprises can maintain situational awareness and the security of personnel and assets. While there are many organizations out there that claim to provide these types of service, and Government bulletins and advisories come out often, this information is released to the public well after the fact, so our goal is to get you actionable intelligence before it's too late.

We thank you all for your continued support. We recommend that if you read our blog frequently and find the information useful, you subscribe to our alerts mailing list. We will only mail you once a day, or when critical information needs to be put out in a timely fashion, and we include much more granular details in our mailing list that may assist you in making smarter and safer business decisions in an effective manner.

Why on earth would NC REN be running a publicly accessible proxy server on their networks? This would definitely indicate either a misconfiguration or an attempt to research what Internet users would do with such a system.

Interesting to say the least...

SOURCE:
Information was researched via MaxMind as part of this statement.

Monday, March 23, 2015

Our OSINT monitoring is showing that a server at Berkeley has been compromised. Currently the site is reporting to be on IP 181.224.147.237, but indications show that problems started on the 19th of March. It's not a good time to be in the educational sector, as sites are getting hit nearly daily.

Friday, March 13, 2015

CPA leaks payroll information. An interesting thing happened today while we were reviewing faxes received by our company: we started receiving faxes from a local CPA firm containing payroll information. It could be that the CPA firm did not verify whom it was sending the information to before sending the fax, and did not verify that the fax was received.

We are reaching out to the CPA firm for comment and will update this information once we receive a response.

Total Number of Records: 7 Pages
Received via: Fax Machine
Type: Inadvertent Disclosure

Update: We attempted to contact the organization via their website and guess what...

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
info@williamfarrellcpapc.com
The mail server could not deliver mail to info@williamfarrellcpapc.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.

More than 51,000 current Highmark health insurance customers in
Pennsylvania will receive letters this week notifying them that their
personal information may have been stolen as part of the larger Anthem
Inc. data heist.

Those customers are in Highmark’s Western and Central Pennsylvania
markets, 49 counties in all. “Letters are going out now,” spokesman
Aaron Billger said.

What is interesting is that Highmark has been noted in open source feeds as having compromised systems in the past as well. This may have been one of the vectors used to gain access to Anthem and deserves a second look.

Thursday, March 12, 2015

SLC Security will be performing upgrades to our internal telephone system on 13 March between 12:00AM and 4:00AM (CDT). During this event all calls to our 24x7 monitoring staff may experience unexpected disconnects and/or periods where technical staff may not be available.

During this time you may page us by reviewing your contract. All contracts include a paging support number where you can get an immediate call back. This service will be available without interruption during this time period.

Monday, March 2, 2015

Previously we have reported, as has DataBreaches.net, on the University of Chicago. I saw today that they have indicated they have been breached by Carbonic. It goes without saying that unless these organizations take our warnings seriously they will all fall one by one.

SLC Security Services LLC is the leader in Cloud predictive analytics. We have been naming potential breach victims with a 98% success rate since last June when we started our cloud computing system.

Sunday, March 1, 2015

It goes without saying that the Government, even with its many billions of dollars spent on security, has failed to stop the exfiltration of highly classified material. Just look at Wikileaks and the Bradley Manning (or Chelsea, to be correct now) case. While the Government performs background checks on individuals, facilities, etc., these leaks do happen. Think about how companies are being affected today. They have less money invested, and the auditors that give them the all clear are not checking the very hacking vectors that are being used to steal people's information, trade secrets and more.

It really irritates us when we see companies being breached that have hired these large security firms that only concentrate on the infrastructure, malware and viruses. You folks do realize that over 85% of the time a successful attack is the result of successful social engineering, or of bypassing weak security features in products that are not usually checked in an audit.

While we won't give away all of our auditing steps, we can tell you that the normal audit only covers about 30% of the areas that should be checked. And while you should be checking other areas before giving a certification, we understand that you are there to do only one job. Keep hiring the Mandiants, the Dell SecureWorks and others (oh, and by the way, Dell's feed data is all out of date and inaccurate in most cases) and wonder why your companies still get breached. You're getting breached, folks, because you're not checking the actual vectors that are being used and you're not changing with the times.

Sure, your employees may pick up on somebody calling them claiming to be from the help desk, or maybe they won't. And maybe your employees are using secure (truly insecure) corporate messaging products away from the office and leaving a clear way into your network (you are paying attention here, right?). Have you checked to make sure what the company claims is in fact the case? Can their encryption be hijacked? I bet it can with the right knowledge and time. Stop taking these large companies at their word just because they are large companies that have been around for a while.

Good luck folks. If you want a real audit conducted contact us. It will be extensive, concise and complete.

Despite our previous warnings, we are now seeing indications that Wake Health is being specifically targeted by external actors. While we have talked to them on at least one occasion by phone and several posts have been made to the blog, they have continued to ignore the information we have sent to them.

Today we started seeing information indicating that they are specifically being targeted. These are the same types of indicators that we noted from Anthem months before they acknowledged that they were breached. It is our belief that Wake Health will be the next entity to see similar issues.

What starts out as probes ends up as infiltration, and we can tell you from previous visits that Wake Health is not protecting PHI concerning patients. They have taken the same route as some other entities in ignoring our warnings, and as they are not a client we are helpless to help them.

Specifically we are seeing that compromised servers in Switzerland and in Russia are being used to target their employees. It will only take one slip up and they will suffer the same fate as Anthem and some of the educational institutions we have been alerting on.

Again, Wake, you should seriously hire us to secure your network. I am pretty sure it's probably already too late, but you can't say we didn't warn you numerous times about this type of activity.

Here is what is known to date:
1. Wake Health has been leaking PHI for well over a year. The information was more than likely being used to collect information such as usernames (which we have observed as well).
2. Domains and existing malicious actors are utilizing previously compromised hosts to send email to Wake's employees to infect their infrastructure with targeted malware (cannot confirm, but this is the same pattern we have previously observed).
3. Patient information and PHI is currently being shopped in underground markets, so this is an indicator that they may have already been compromised, yet they have not acknowledged it (and they ignored our previous warnings).

We will update if we see any information but will only talk to Wake Health directly concerning this matter and only if under contract.


About SLC Security

The driving factor in us deciding to provide this service to consumers is the growing cost of cybersecurity defense and notification systems. We are providing an RSS feed of content as a public service. It is our policy to only release the full details of data breach information directly to the companies or entity that was the target of the breach or attack. If you need assistance researching the source of the breach or leak please visit SLC Security Services LLC to obtain assistance.

NOTICE: All information posted to this blog is derived from open source intelligence systems developed by SLC Security Services LLC. The OSINT-X platform is available via subscription and via a paid RSS feed. The OSINT-X system only retains 90 days of data, but this timeframe may and will change without notice depending on the amount of data we are processing. We also provide a delayed RSS feed that may not contain all feed sources. The public RSS feed is on this page on the right hand side and is provided without charge. The moderators of this site are all volunteers and are not paid for their services. If your company needs a TSCM sweep or vulnerability assessment, feel free to contact us through the contact form on this page or call us at (717) 831-TSCM to schedule an audit.

NOTICE: Starting in January 2015 we will only discuss issues on the blog or in our feeds with the clients directly. We receive upward of 200+ calls per day requesting information. It is impossible for our volunteers to field that number of calls and still get our work done. While we would love to help every person that calls, remember we are a for-profit business and answering calls takes time. If we are not busy you may get in touch with us. The best approach is to email us at soc@slcsecurity.com instead of calling. Please include your name, telephone number and a brief reason for the call or communication, and we will get back to you as soon as possible, time permitting.

About this Page

The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware. We will include information on what type of information is being leaked, but we will not release the methods by which the information is being leaked unless we are under non-disclosure agreements with the organization. The information posted on this site will be scrubbed if we release it, to protect the information source and to ensure that the person or persons being affected are not further harmed by the disclosure of their personal information.

Before a breach is reported here it is reported to the entity affected, and we normally wait at least 5 days for a response. We only post disclosures when there has been no response by the organization, when it involves confirmed leaks, or when we can verify that the security issue has not been resolved by the organization. Certain items will remain on the blog if they are a major release or new information is being posted frequently concerning the incident.

We do NOT maintain data on the leaked information as we would not want to create a second incident. Reports are submitted by security researchers, patients, clients, corporations and through open source identification as well as through passive monitoring of open source systems and proprietary algorithms.

The information on this site is provided by SLC Security Services LLC, a leading cyber security and investigation company located in Raleigh, NC. If your company appears on this list and you would like additional information, you may contact us by mail at 2664 Timber Dr Suite 342 Garner NC 27529, by email via the contact form available at www.slcsecurity.com, or by phone at (717)831-8726.

The Stats

Reporting Stats are available upon written request.

Please report all known security issues to soc@slcsecurity.com. We will review each report manually whenever possible. Please note that not all reports will be published to the disclosure list. Also you can specifically request that the data NOT be posted during your submission.

RSS OSINT-X FEED PERMALINK

Feed Delayed 30-60 Minutes

Not all sources we monitor are in this RSS feed. This feed contains mostly news sites but does not include the IRC, Darknet or file dump site monitoring that our commercial products perform for your organization. This feed is limited in scope. For full access you must be a customer under a service contract. If interested in a full service contract, call (919)441-7353 to inquire about pricing and services available.